
Pages chroot doesn't copy Custom CA - breaking HTML artifacts

From !51 (merged):

On top of that gitlab-pages chroot daemon will now create a complete jail with /etc/resolv.conf, a copy of SSL_CERT_FILE placed in /etc/ssl/ca-bundle.pem, and a bind mount of pages-root on /pages.

SSL_CERT_FILE is the bundle located at /opt/gitlab/embedded/ssl/certs/cacert.pem; however, we have added our own custom CA to /etc/gitlab/trusted-certs/customcacert.pem as per https://docs.gitlab.com/omnibus/settings/ssl.html#details-on-how-gitlab-and-ssl-work

From looking at https://gitlab.com/gitlab-org/gitlab-pages/blob/master/daemon.go#L126 I can see that the single SSL_CERT_FILE is copied, but I do not see anything attempting to copy custom CAs.

The result of this is that HTML artifacts are unable to be seen via the pages daemon, presumably as it requests it via our internal domain, served with a cert signed by our custom CA.